gpg: Remove support for PKA.

* g10/gpg.c (oPrintPKARecords): Remove. (opts): Remove --print-pka-records. (main): Remove "pka-lookups","pka-trust-increase" and other PKA stuff. * g10/options.h (EXPORT_DANE_FORMAT): Remove. (VERIFY_PKA_LOOKUPS, VERIFY_PKA_TRUST_INCREASE): Remove. (KEYSERVER_HONOR_PKA_RECORD): Remove. * g10/packet.h (pka_info_t): Remove. (PKT_signature): Remove flags.pka_tried and pka_info. * g10/parse-packet.c (register_known_notation): Remove "pka-address@gnupg.org". * g10/pkclist.c (check_signatures_trust): Remove PKA stuff. * g10/call-dirmngr.c (gpg_dirmngr_get_pka): Remove. * g10/export.c (parse_export_options): Remove "export-pka". (do_export): Adjust for this. (write_keyblock_to_output): Ditto. (do_export_stream): Ditto. (print_pka_or_dane_records): Rename to ... (print_dane_records): this and remove two args. Remove PKA printing. * g10/free-packet.c (free_seckey_enc, cp_pka_info): Adjust for removed pka_info field. * g10/getkey.c (get_pubkey_byname): Make AKL_PKA a dummy. * g10/keyserver.c: Remove "honor-pka-record". (keyserver_import_pka): Remove. * g10/mainproc.c (get_pka_address): Remove. (pka_uri_from_sig): Remove. (check_sig_and_print): Remove code for PKA. -- PKA (Public Key Association) was a DNS based key discovery method which looked up fingerprint by mail addresses in the DNS. This goes back to the conference where DKIM was suggested to show that we already had a better method for this available with PGP/MIME. PKA was was later superseded by an experimental DANE method and is today not anymore relevant. It is anyway doubtful whether PKA was ever widely used. Signed-off-by: Werner Koch <wk@gnupg.org>
2025-07-02 22:46:30 +02:00 · 2021-02-02 19:53:21 +01:00 · 2021-02-02 19:53:21 +01:00 · 7f3ce66ec5
commit 7f3ce66ec5
parent fde7d83357
17 changed files with 35 additions and 464 deletions
--- a/g10/pkclist.c
+++ b/g10/pkclist.c
@ -710,57 +710,6 @@ check_signatures_trust (ctrl_t ctrl, kbnode_t keyblock, PKT_public_key *pk,
  if ((trustlevel & TRUST_FLAG_DISABLED))
    log_info (_("Note: This key has been disabled.\n"));

-  /* If we have PKA information adjust the trustlevel. */
-  if (sig->pka_info && sig->pka_info->valid && !(uidbased && !targetuid))
-    {
-      unsigned char fpr[MAX_FINGERPRINT_LEN];
-      PKT_public_key *primary_pk;
-      size_t fprlen;
-      int okay;
-
-      primary_pk = xmalloc_clear (sizeof *primary_pk);
-      get_pubkey (ctrl, primary_pk, pk->main_keyid);
-      fingerprint_from_pk (primary_pk, fpr, &fprlen);
-      free_public_key (primary_pk);
-
-      if ( fprlen == 20 && !memcmp (sig->pka_info->fpr, fpr, 20) )
-        {
-          okay = 1;
-          write_status_text (STATUS_PKA_TRUST_GOOD, sig->pka_info->email);
-          log_info (_("Note: Verified signer's address is '%s'\n"),
-                    sig->pka_info->email);
-        }
-      else
-        {
-          okay = 0;
-          write_status_text (STATUS_PKA_TRUST_BAD, sig->pka_info->email);
-          log_info (_("Note: Signer's address '%s' "
-                      "does not match DNS entry\n"), sig->pka_info->email);
-        }
-
-      switch ( (trustlevel & TRUST_MASK) )
-        {
-        case TRUST_UNKNOWN:
-        case TRUST_UNDEFINED:
-        case TRUST_MARGINAL:
-          if (okay && opt.verify_options&VERIFY_PKA_TRUST_INCREASE)
-            {
-              trustlevel = ((trustlevel & ~TRUST_MASK) | TRUST_FULLY);
-              log_info (_("trustlevel adjusted to FULL"
-                          " due to valid PKA info\n"));
-            }
-          /* fall through */
-        case TRUST_FULLY:
-          if (!okay)
-            {
-              trustlevel = ((trustlevel & ~TRUST_MASK) | TRUST_NEVER);
-              log_info (_("trustlevel adjusted to NEVER"
-                          " due to bad PKA info\n"));
-            }
-          break;
-        }
-    }
-
  /* Now let the user know what up with the trustlevel. */
  switch ( (trustlevel & TRUST_MASK) )
    {